Do your clients have enough (or any) coverage for ransomware attacks?

Businesses in Canada and the United States are increasingly concerned about how they will pay ransomware demands and more than half would like governments to cover damages when future attacks are linked to other nation states, according to a new survey from BlackBerry Limited and Corvus Insurance.

The BlackBerry Cyber Insurance Coverage study found 81% of the 450 North American businesses polled had ransomware coverage limits below the 2021 median ransomware demand amount of $600,000. And although just more than half (55%) currently have cyber insurance, another 28% surveyed said “they intend to acquire coverage shortly.”

Small- to medium-sized businesses (SMBs) are especially feeling the heat. Only 14% of businesses under 1,500 employees report having a coverage limit in excess of $600,000, according to the study released Wednesday by Waterloo, Ont.-based BlackBerry and Boston-based commercial insurer Corvus Insurance (which also offers insurance products in Canada).

A report from global market research firm Forrester estimated a typical data breach costs the average organization $2.4 million to investigate and recover. In the BlackBerry Cyber Insurance Coverage study, more than half (59%) of respondents hoped the government would cover damages when future attacks are linked to nation states (50% of SMB respondents hoped the government would increase financial aid in all ransomware incidents).

“Not only are there more ransomware threats than ever, but the criminals are more ruthless,” said Shishir Singh, executive vice president and chief technology officer of cybersecurity at BlackBerry in a press release. “They will iterate threats and wait patiently in order to extract maximum damage.

iStock.com/Tomas Knopp

“For uninsured and underinsured organizations, this potentially puts them in extreme jeopardy,” Singh said. “The cyber underground is increasingly sharing learnings and partnering to make threats as efficient as possible. It’s vital businesses strengthen their security posture against these threats by supplementing insurance with a prevention-first software approach that lowers their overall risk.”

According to the study, businesses reported cyber insurance coverages are “poorly tailored to their current situation.” More than one-third (37%) of respondents said they aren’t currently covered for any ransomware payment demands, while 43% aren’t covered for auxiliary costs such as court fees or employee downtime.

The study also reignites the longstanding debate over whether organizations should pay ransomware demands or not. According to an annual cybersecurity poll from the Canadian Internet Registration Authority (CIRA) last year, nearly 70% of Canadian organizations facing a ransomware attack in 2020 paid the demands.

Cyber insurance experts told Canadian Underwriter in December 2021 that payment of a ransom demand is really a decision between cyber experts and the insured. However, “industries such as government, higher education, hospitality and law are more likely to pay out the ransoms, as losing access to the data could be truly detrimental,” said Danion Beckford, senior underwriter of professional liability with Burns & Wilcox Canada.

The propensity for businesses to pay ransoms is driven by those who don’t have access to the experts that come with a cyber insurance product, suggested Lindsey Nelson, CFC Underwriting’s cyber development leader. “They will often make the decision to pay because they don’t know what the alternative is.”

However, for a growing number of business leaders, there is a recognition that cyber risk is business risk. The study found 60% of respondents said they would reconsider entering into a partnership or agreement with another business or supplier if the organization did not have comprehensive cyber insurance. Even more (68% of IT decision-makers) were likely to reassess a partner or supplier agreement because of their cybersecurity practices.

Feature image by iStock.com/tommy